A very strict new set of regulations concerning citizens’ data protection are set to take effect in the European Union (EU) this year, and these rules have businesses re-evaluating their current cybersecurity practices.

Called the General Data Protection Regulation, or GDPR for short, these regulations not only mandate how businesses that gather customer data must protect it, they also outline the severe penalties that companies will face for violating it.

Unfortunately for business owners (but fortunately for customers, especially those who’ve had their information stolen in the past), the GDPR does not differentiate how the data was compromised. Basically, if you collected it and stored it, you are the reason it was sitting there for a hacker to steal. Whether the information was stolen because of a rogue employee, sloppy or faulty cybersecurity protocols, or simply the incredible skills of a cybercriminal, the method no longer matters. It was the business’ job to secure it or not have it in the first place.

US business owners might be breathing a sigh of relief, thankful that these regulations are way over there in Europe. However, that relief is misplaced. If your company does business in the EU—whether you have a branch office there or you’re just a vendor who accepts international customers—you can find yourself held to these regulations, especially if there’s a problem down the road.

According to CSO Online, the following criteria for determining compliance can apply:

  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.

These regulations were adopted in the EU in April of 2016, but companies have until May 2018 to be in full compliance. To find out more about these requirements and how they affect your company, find out more at the EU’s GDPR website.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.